Apple Safe Files List: Staying On Top of Malware Definitions

Apple does a pretty good job at making Mac OS X easy to use, but the company’s efforts to shield users from the system’s underpinnings sometimes mean we don’t have access to important details about things like whether or not Snow Leopard users have the most recent Safe Files database for Safari downloads, or detecting the MacDefender malware.

Mac OS X 10.6.7 users that installed Security Update 2011-003 can potentially receive a new definition file daily, although there isn’t a clear way in the OS to tell whether or not a new file is available, or if it has been installed. The security update was issued to help protect Mac users from the MacDefender trojan horse application that tries to scam victims into giving up credit card account information.

MacDefender looks like a legit app, but it isn’t

The security update was released on May 31 to detect MacDefender, and by June 1 a variant that bypassed Apple’s efforts was already on the Internet. Apple released an updated definition list by June 2 that recognized the variant, and the new list — at least in theory — should be on users’ computers within 24 hours.

The problem for users that want to keep on top of whether or not they have the most current definition list installed is that Apple doesn’t provide any feedback to indicate regular update checks are happening, or that a new safe file definition list has been installed.

Even though Apple doesn’t offer any way of knowing whether or not a new definition file is available, it’s at least possible to find out when your list was last updated. The file that Apple updates is called XProtect.plist, and it’s hidden away deep in Mac OS X.

The path to XProtect.plist is /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist, which isn’t exactly a place most Mac users would stumble across. Getting at the file involves opening a bundle file, by right-clicking or Control-clicking the CoreTypes icon and selecting Show Package Contents from the pop-up menu.

Opening CoreTypes.bundle reveals its contents, which include the Resources folder that leads to the elusive XProtect.plist file. A quick check of the file’s modification date can tell how long it’s been since it was last updated, but that doesn’t offer up any clues as to whether or not it’s the latest version — and that’s a lot of work just to check a file modification date.

Along with a list of files to avoid, XProtect.plist also includes handy details like the list’s version number. When Apple rolled out Security Update 2011-003, the version number was 1. When the new list that includes definitions for the MacDefender variant arrived, the version number was incremented to 2.
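The checks described above (read the version number out of the plist, and compare the file’s modification date with it) can be scripted instead of done by hand in the Finder. The following is an added example, not code from the article or from TMO’s Safe Download Version app. It uses only Python’s standard-library plistlib, reads the path named in the article plus the companion XProtect.meta.plist a reader mentions below, and assumes the key names “Version” and “LastModification”, which the page does not print; the two embedded plists are constructed samples so the functions can be exercised on any machine.

```python
#!/usr/bin/env python3
"""Report which safe-downloads (XProtect) definition list a Mac has installed.

Added example, not part of the article or of TMO's Safe Download Version app.
Reads the plists with the standard-library plistlib, so it needs no third-party
modules and can be pointed at other paths for testing.
"""
import os
import plistlib
from datetime import datetime, timezone

RESOURCES = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
XPROTECT_PLIST = os.path.join(RESOURCES, "XProtect.plist")            # the definitions
XPROTECT_META_PLIST = os.path.join(RESOURCES, "XProtect.meta.plist")  # version + date

# Assumed key names: the page reports a version integer and a date string in
# XProtect.meta.plist but does not show the keys they are stored under.
VERSION_KEY = "Version"
LAST_MOD_KEY = "LastModification"

# Constructed sample of XProtect.meta.plist, using the values a reader quotes
# on this page (version 3, dated Fri, 03 Jun 2011 00:13:07 GMT).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
    <key>Version</key>
    <integer>3</integer>
</dict>
</plist>
"""

# Constructed sample of XProtect.plist: an array of definition entries, one per
# detected variant (assumed layout). Only "Description" is read here; the real
# file also carries match data that this sample does not model.
SAMPLE_DEFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict><key>Description</key><string>OSX.MacDefender.A</string></dict>
    <dict><key>Description</key><string>OSX.MacDefender.B</string></dict>
    <dict><key>Description</key><string>OSX.MacDefender.C</string></dict>
    <dict><key>Description</key><string>OSX.MacDefender.D</string></dict>
</array>
</plist>
"""


def meta_info(data: bytes) -> tuple:
    """Return (version, Apple's last-modification time as an aware UTC datetime)."""
    meta = plistlib.loads(data)
    version = int(meta[VERSION_KEY])
    # The date is an RFC 1123 string; parse it rather than trusting the file's mtime.
    last_mod = datetime.strptime(meta[LAST_MOD_KEY], "%a, %d %b %Y %H:%M:%S %Z")
    return version, last_mod.replace(tzinfo=timezone.utc)


def definition_names(data: bytes) -> list:
    """Return the Description of every entry in an XProtect.plist definitions array."""
    entries = plistlib.loads(data)
    return [entry.get("Description", "?") for entry in entries]


def report(defs_path: str = XPROTECT_PLIST, meta_path: str = XPROTECT_META_PLIST) -> dict:
    """Summarise the installed list. Missing files are reported as None/empty rather
    than raised, since a Mac without Security Update 2011-003 has neither file."""
    result = {"version": None, "apple_modified": None, "downloaded": None, "definitions": []}
    if os.path.exists(meta_path):
        with open(meta_path, "rb") as fh:
            result["version"], result["apple_modified"] = meta_info(fh.read())
        # The filesystem mtime is when this Mac fetched the list (local download
        # time), which is the date the Finder check in the article shows; it is
        # not when Apple published it, so both are reported side by side.
        result["downloaded"] = datetime.fromtimestamp(os.path.getmtime(meta_path), timezone.utc)
    if os.path.exists(defs_path):
        with open(defs_path, "rb") as fh:
            result["definitions"] = definition_names(fh.read())
    return result


if __name__ == "__main__":
    r = report()
    if r["version"] is None:
        print("No XProtect.meta.plist found; Security Update 2011-003 may not be installed.")
    else:
        print(f"Safe downloads list version {r['version']}")
        print(f"  published by Apple: {r['apple_modified'].isoformat()}")
        print(f"  downloaded here:    {r['downloaded'].isoformat()}")
    for name in r["definitions"]:
        print(f"  definition: {name}")
```

Run it with no arguments on a Snow Leopard machine to print the installed version, Apple’s own timestamp, the local download time and the definition names; as the article notes, it still cannot tell you whether a newer list exists on Apple’s side, only what is on the disk in front of you.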

Since digging around in bundles and looking inside plist files isn’t the best way to check file modification dates and version numbers, we put TMO’s own coding wizard Adam Christianson on the job of making the task easier. The result was Safe Download Version, an application that shows your current Safe File definition list version number along with the last time the list was updated.

Safe Download Version in action

Safe Download Version makes it easy to find out when your safe file definition list was last updated along with your list’s version number, but it can’t tell you when Apple last updated its definitions. That’s something Apple will have to change.

Until Apple makes it easy to find out if you have the latest definition list installed, we’re stuck with word of mouth — meaning we have to rely on our friends to tell us what version they’re running and then compare that with the version that’s on our computers.

We’ll also have to deal with what appears to be a bug in Apple’s auto-update system. Some users are reporting that they aren’t receiving the updates unless they disable and then reenable the auto-check feature. Here’s how:

Launch System Preferences

Select the Security Preference Pane, and then choose the General tab

Uncheck Automatically update safe downloads list

Recheck Automatically update safe downloads list

Toggle the safe downloads option to force a definition update

Apple will most likely fix that bug with a future software update, and maybe they’ll make it easier to check version numbers and update times at the same time. Until then, we’re on our own.

I’ve just installed this update and I have two “XProtect” plist files at the location you list.

XProtect.meta.plist contains the date last modified, as a string, and the current version number as an integer. Currently this info is “Fri, 03 Jun 2011 00:13:07 GMT” and version 3.

XProtect.plist - the filename you originally listed in your article - is actually the definitions/profiles of each of the viruses that will be detected. There are currently four MacDefender definitions: A through to D.

The modification date on each plist is actually the local time at which the download occurred - not when they were updated by Apple.

I just noticed something that I don’t think that was there before the May 31st update. However, I don’t know if it is a Safari/OSX thing or the 3rd party Safari Cookie plugin, but maybe I am just slow on the uptake. Anyway, in the Safari Plugin preference pane there is a column for “Secure” where it lists cookies and databases.